10-26-2012 07:23 AM - edited 03-11-2019 05:14 PM
Hi All,
We have a base-license ASA 5510 and have been trying to get ICMP working to check that we're routing and not hitting any NAT translation. We have VLAN 280 set up to the ISP for the VPN link to the remote site and another, VLAN 281, for internet access for internal users.
Users can browse the internet from (name inside, interface e0/1 access port), which is fine. When I do a ping to the remote office through the VPN I get a response pinging from VLAN 280 (name VPN_Link). When I do a ping from the inside interface I don't get a response. Both are security level 100 with
same-security-traffic permit inter-interface configured.
I'm sure I'm missing something here; any expertise would be greatly appreciated, as I've been at this for a few days now!!! I have just included the config that probably needs to be looked at for NAT exempt and routing issues.
Config:
!
interface Ethernet0/0
speed 100
no nameif
no security-level
no ip address
!
interface Ethernet0/0.280
vlan 280
nameif vpn_link
security-level 100
ip address 10.11.xx.xx 255.255.255.252
!
interface Ethernet0/0.281
vlan 281
nameif outside
security-level 0
ip address 203.xx.xx.xx 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
------extracted for brevity--------
same-security-traffic permit inter-interface
access-list outside-in extended permit ip 192.168.10.0 255.255.255.0 Inside_Network 255.255.255.0
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq www
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq https
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq 3389
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq https
access-list Tunnel_Traffic standard permit 192.168.0.0 255.255.255.0
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list split remark Traffic to Remote site NAT exempt
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_link_access_in remark Test
access-list vpn_link_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list vpn_link_access_in remark test
access-list vpn_link_access_in extended permit ip any any
access-list inside_access_in remark Allow access from remote office
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
nat (inside) 0 access-list split
nat (inside) 5 0.0.0.0 0.0.0.0
!
access-group vpn_link_access_in in interface vpn_link
access-group inside_access_in in interface inside
access-group outside-in in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.xx.xx.xx 1
route vpn_link 192.168.10.0 255.255.255.0 10.11.xx.xx 1
Please let me know what other config you may want to see.
Appreciate the assistance.
10-26-2012 07:32 AM
The remote office range is 192.168.10.xx/24 which is reachable via interface VPN_link as mentioned but not via inside interface 192.168.0.xx
thanks
10-26-2012 11:18 AM
Hello Joseph,
Please add the following:
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
Let me know if this works.
Regards,
Julio
10-26-2012 05:33 PM
Hi Julio,
added:
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 Inside_Network 255.255.255.0
to the above config.
still no luck:
ASA# ping inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
but again with vpn_link:
ALTUS-ASA# ping vpn_link 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Any other thoughts? I know by default this behaviour is not allowed; however, I would have thought applying an access-list should override this. Only the inside interface is NATed for internal users' web browsing, which is working. For some reason yesterday it broke; I had to do a permit any any??? to make it work though!
10-26-2012 05:56 PM
Julio,
did you mean to add to extended ACL?
access-list inside_access_in extended
Thanks.
10-27-2012 12:43 PM
Hello
Do the following and share the output you get ( full output)
packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.10
Regards
10-27-2012 06:33 PM
Hey,
Please see below. I've only edited the dynamic NAT IP 203.xx.xx.xx. I see allow but still can't ping from the ASA command line.
packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.10
packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 vpn_link
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
access-list inside_access_in remark Allow access from Erina
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound outside
match ip inside Inside_Network 255.255.255.0 vpn_link 192.168.10.0 255.255.255.0
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 203.xx.xx.xx smtp 192.168.0.10 smtp netmask 255.255.255.255
match tcp inside host 192.168.0.10 eq 25 outside any
static translation to 203.149.75.177/25
translate_hits = 1122, untranslate_hits = 3497
Additional Information:
Phase: 11
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 5 0.0.0.0 0.0.0.0
match ip inside any vpn_link any
dynamic translation to pool 5 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 12
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 163663, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: vpn_link
output-status: up
output-line-status: up
Action: allow
ASA# ping inside 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA# ping vpn_link 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
10-27-2012 11:07 PM
Hello Joseph,
Packet tracer looks good...
That can't be done. Ping from the ASA itself to a host on VLAN x sourced from VLAN y... You need to do it from a real host. And that, my friend, based on the packet tracer, should work.
Remember to rate all of the helpful posts. If you need any assistance on that, just let me know.
Julio
10-28-2012 03:07 AM
Hi Julio,
You are correct. I was misled by my friends in the systems team, who logged into the remote router and advised they could not ping the inside_network. I logged in via VPN (had to change the tunnel_traffic to allow me to reach all internal traffic) and was able to!!!! My guess is they didn't do a source ping from 192.168.10.xx.
So it was always working and I've been sent on a wild goose chase!!
So the obvious question is: why is it not possible to ping from the ASA? How would you test this unless you're on a real host?
Also, sorry for the many questions: is there a command I can use like the above to test if web (HTTP) traffic from the remote end 192.168.10.xx to the internet is working?
thanks!
this turned out to be a melodrama!
10-28-2012 10:21 AM
Hello Joseph,
For security reasons the ASA was created to provide as much security as possible; it is intended to be used to restrict and monitor traffic, not to test connectivity across different broadcast domains.
Now, how to test this stuff?
Simple, using packet-tracer. Please get used to that command; I assure you it will help you a LOT on future cases where you think there is nowhere to go.
Example: How to know if an inside user can go to the internet?
packet-tracer input inside tcp 192.168.0.10 1026 4.2.2.2 80
Hope this helps,
Remember to rate all of the helpful posts, If you do not know how to rate a post, let me know. I will help you on that as well
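The packet-tracer output pasted earlier in the thread and Julio's advice to lean on that command both come down to the same reading: scan the phase list for the first DROP, then read the final Result block for the egress interface, the Action and (on a drop) the Drop-reason line the ASA prints. The following Python parser does that mechanically. It is an added example, not code from the thread or from Cisco; the two sample traces embedded in it are constructed and abridged (a real trace has more phases), and the ACL drop shown in the second sample is a hypothetical case, not a capture from the poster's firewall.

```python
"""Parse Cisco ASA packet-tracer output and report where a packet lives or dies.
Added example for this thread, not code from the posters or from Cisco. Both samples
below are constructed and abridged for this example, not captures from the poster's ASA.
"""
import re
from dataclasses import dataclass, field

_PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
_KV_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")  # "Key: value" lines


@dataclass
class Phase:
    number: int
    fields: dict = field(default_factory=dict)  # Type / Subtype / Result of this phase
    lines: dict = field(default_factory=dict)   # "Config" or "Additional Information" -> lines


def parse_packet_tracer(text):
    """Return (phases, summary): the Phase list and the final 'Result:' block as a dict."""
    phases, summary, phase, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "<--- More --->":  # skip blanks and pager prompts
            continue
        m = _PHASE_RE.match(line)
        if m:
            phase, section = Phase(number=int(m.group(1))), None
            phases.append(phase)
            continue
        if line == "Result:":  # a bare "Result:" (no value) opens the summary block
            in_summary, phase = True, None
            continue
        kv = _KV_RE.match(line)
        if in_summary:
            if kv:
                summary[kv.group(1)] = kv.group(2)
        elif phase is None:
            pass  # text before the first phase (echoed command, banners)
        elif kv and kv.group(1) in ("Config", "Additional Information"):
            section = kv.group(1)
        elif kv and section is None:  # header lines before Config: Type/Subtype/Result
            phase.fields[kv.group(1)] = kv.group(2)
        else:
            phase.lines.setdefault(section, []).append(line)
    return phases, summary


def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed."""
    return next((p for p in phases if p.fields.get("Result", "").upper() == "DROP"), None)


def verdict(text):
    """One line for the troubleshooter: allowed via which egress, or dropped where and why."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None and summary.get("Action", "").lower() == "allow":
        return f"allow: {summary.get('input-interface')} -> {summary.get('output-interface')}"
    where = f"phase {drop.number} {drop.fields.get('Type')}" if drop else "summary"
    return f"drop at {where}: {summary.get('Drop-reason', 'no Drop-reason printed')}"


# Constructed, abridged: the thread's inside -> vpn_link ICMP trace, with a pager prompt.
ALLOW_SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 vpn_link
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
<--- More --->
Additional Information:
Result:
input-interface: inside
output-interface: vpn_link
Action: allow
"""
# Constructed (hypothetical): the same flow when the inside interface ACL has no matching permit.
DROP_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-group inside_access_in in interface inside
Additional Information:
Result:
input-interface: inside
output-interface: vpn_link
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

verdict(text) reduces a pasted trace to one line, and the "<--- More --->" pager prompts that end up inside a copied trace (as in the post above) are skipped rather than mis-read as config. When the packet is dropped, the phase named in that line is the one to fix: an ACCESS-LIST drop means the interface ACL, a ROUTE-LOOKUP drop means routing, and so on, with the Drop-reason string the ASA prints carried through verbatim.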
10-31-2012 09:54 PM
Sorry for the late reply. Yes, the posts have been very helpful for troubleshooting. Please show me how to rate a post.
Thanks Julio.
Joseph
10-31-2012 10:13 PM
Hello Joseph.
Do not worry. Glad to see that I helped.
You can go to every reply and on the bottom you can see 5 stars, you can click them ( 1 being a bad answer and 5 being a great answer)
Let me know if you have any other question..
Also you can mark the question as answered ( as you open the discussion you are the only allowed to mark it as answered)
Julio
Have a great night!